* New upstream release (closes: #395507, #397961, #420035). Important

changes not previously backported to 4.3p2: - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4): + On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. + Implemented conditional configuration in sshd_config(5) using the "Match" directive. This allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. So far a useful subset of post-authentication options are supported and more are expected to be added in future releases. + Add support for Diffie-Hellman group exchange key agreement with a final hash of SHA256. + Added a "ForceCommand" directive to sshd_config(5). Similar to the command="..." option accepted in ~/.ssh/authorized_keys, this forces the execution of the specified command regardless of what the user requested. This is very useful in conjunction with the new "Match" option. + Add a "PermitOpen" directive to sshd_config(5). This mirrors the permitopen="..." authorized_keys option, allowing fine-grained control over the port-forwardings that a user is allowed to establish. + Add optional logging of transactions to sftp-server(8). + ssh(1) will now record port numbers for hosts stored in ~/.ssh/known_hosts when a non-standard port has been requested (closes: #50612). + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a non-zero exit code) when requested port forwardings could not be established. + Extend sshd_config(5) "SubSystem" declarations to allow the specification of command-line arguments. + Replacement of all integer overflow susceptible invocations of malloc(3) and realloc(3) with overflow-checking equivalents. + Many manpage fixes and improvements. + Add optional support for OpenSSL hardware accelerators (engines), enabled using the --with-ssl-engine configure option. + Tokens in configuration files may be double-quoted in order to contain spaces (closes: #319639). + Move a debug() call out of a SIGCHLD handler, fixing a hang when the session exits very quickly (closes: #307890). + Fix some incorrect buffer allocation calculations (closes: #410599). + ssh-add doesn't ask for a passphrase if key file permissions are too liberal (closes: #103677). + Likewise, ssh doesn't ask either (closes: #99675). - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6): + sshd now allows the enabling and disabling of authentication methods on a per user, group, host and network basis via the Match directive in sshd_config. + Fixed an inconsistent check for a terminal when displaying scp progress meter (closes: #257524). + Fix "hang on exit" when background processes are running at the time of exit on a ttyful/login session (closes: #88337). * Update to current GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch; install ChangeLog.gssapi.
author: Colin Watson <cjwatson@debian.org> 2007-06-12 16:16:35 +0000
committer: Colin Watson <cjwatson@debian.org> 2007-06-12 16:16:35 +0000
commit: b7e40fa9da0b5491534a429dadb321eab5a77558 (patch)
tree: bed1da11e9f829925797aa093e379fc0b5868ecd /regress
parent: 4f84beedf1005e44ff33c854abd6b711ffc0adb7 (diff)
parent: 086ea76990b1e6287c24b6db74adffd4605eb3b0 (diff)
7 files changed, 239 insertions, 7 deletions
diff --git a/regress/Makefile b/regress/Makefile
index 4f47bc3fd..539956398 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.36 2005/03/04 08:48:46 djm Exp $
+#       $OpenBSD: Makefile,v 1.42 2006/07/19 13:34:52 dtucker Exp $
 REGRESS_TARGETS=        t1 t2 t3 t4 t5 t6 t7 t-exec
 tests:          $(REGRESS_TARGETS)
@@ -40,7 +40,9 @@ LTESTS= 	connect \
                forwarding \
                multiplex \
                reexec \
-                brokenkeys
+                brokenkeys \
+                cfgmatch \
+                forcecommand
 USER!=          id -un
 CLEANFILES=     t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
@@ -49,8 +51,8 @@ CLEANFILES=	t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
                rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \
                rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \
                ls.copy banner.in banner.out empty.in \
-                scp-ssh-wrapper.scp ssh_proxy_envpass \
+                scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
-                remote_pid
+                sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv
 #LTESTS +=      ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh
index 6186a8d48..e5fcedda7 100644
--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: agent-getpeereid.sh,v 1.2 2005/11/14 21:25:56 grunk Exp $
+#       $OpenBSD: agent-getpeereid.sh,v 1.3 2006/07/06 12:01:53 grunk Exp $
 #       Placed in the Public Domain.
 tid="disallow agent attach from other uid"
@@ -12,6 +12,11 @@ then
        echo "skipped (not supported on this platform)"
        exit 0
 fi
+if [ -z "$SUDO" ]; then
+        echo "skipped: need SUDO to switch to uid $UNPRIV"
+        exit 0
+fi
 trace "start agent"
 eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null
diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh
index 4de2638e4..d5892ed03 100644
--- a/regress/agent-ptrace.sh
+++ b/regress/agent-ptrace.sh
@@ -41,7 +41,7 @@ EOF
        if [ $? -ne 0 ]; then
                fail "gdb failed: exit code $?"
        fi
-        egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace attach: Permission denied.|procfs:.*: Invalid argument.' >/dev/null ${OBJ}/gdb.out
+        egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.' >/dev/null ${OBJ}/gdb.out
        r=$?
        rm -f ${OBJ}/gdb.out
        if [ $r -ne 0 ]; then
diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh
new file mode 100644
index 000000000..d987dcb97
--- /dev/null
+++ b/regress/cfgmatch.sh
@@ -0,0 +1,106 @@
+#       $OpenBSD: cfgmatch.sh,v 1.2 2006/07/22 01:50:00 dtucker Exp $
+#       Placed in the Public Domain.
+tid="sshd_config match"
+pidfile=$OBJ/remote_pid
+fwdport=3301
+fwd="-L $fwdport:127.0.0.1:$PORT"
+stop_client()
+{
+        pid=`cat $pidfile`
+        if [ ! -z "$pid" ]; then
+                kill $pid
+                sleep 1
+        fi
+}
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
+echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
+echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
+start_sshd
+#set -x
+# Test Match + PermitOpen in sshd_config.  This should be permitted
+for p in 1 2; do
+        rm -f $pidfile
+        trace "match permitopen localhost proto $p"
+        ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
+            "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+            fail "match permitopen proto $p sshd failed"
+        sleep 1;
+        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
+            fail "match permitopen permit proto $p"
+        stop_client
+done
+# Same but from different source.  This should not be permitted
+for p in 1 2; do
+        rm -f $pidfile
+        trace "match permitopen proxy proto $p"
+        ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+            "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+            fail "match permitopen proxy proto $p sshd failed"
+        sleep 1;
+        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+            fail "match permitopen deny proto $p"
+        stop_client
+done
+# Retry previous with key option, should also be denied.
+echo -n 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echo -n 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+for p in 1 2; do
+        rm -f $pidfile
+        trace "match permitopen proxy w/key opts proto $p"
+        ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+            "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+            fail "match permitopen w/key opt proto $p sshd failed"
+        sleep 1;
+        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+            fail "match permitopen deny w/key opt proto $p"
+        stop_client
+done
+# Test both sshd_config and key options permitting the same dst/port pair.
+# Should be permitted.
+for p in 1 2; do
+        rm -f $pidfile
+        trace "match permitopen localhost proto $p"
+        ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
+            "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+            fail "match permitopen proto $p sshd failed"
+        sleep 1;
+        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
+            fail "match permitopen permit proto $p"
+        stop_client
+done
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
+echo "Match User $USER" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
+# Test that a Match overrides a PermitOpen in the global section
+for p in 1 2; do
+        rm -f $pidfile
+        trace "match permitopen proxy w/key opts proto $p"
+        ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+            "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+            fail "match override permitopen proto $p sshd failed"
+        sleep 1;
+        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+            fail "match override permitopen proto $p"
+        stop_client
+done
diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh
new file mode 100644
index 000000000..592511143
--- /dev/null
+++ b/regress/cipher-speed.sh
@@ -0,0 +1,47 @@
+#       $OpenBSD: cipher-speed.sh,v 1.2 2005/05/24 04:09:54 djm Exp $
+#       Placed in the Public Domain.
+tid="cipher speed"
+getbytes ()
+{
+        sed -n '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p'
+}
+tries="1 2"
+DATA=/bin/ls
+DATA=/bsd
+macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96"
+ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc 
+        arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc aes128-ctr"
+for c in $ciphers; do for m in $macs; do
+        trace "proto 2 cipher $c mac $m"
+        for x in $tries; do
+                echo -n "$c/$m:\t"
+                ( ${SSH} -o 'compression no' \
+                        -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
+                        exec sh -c \'"dd of=/dev/null obs=32k"\' \
+                < ${DATA} ) 2>&1 | getbytes
+                if [ $? -ne 0 ]; then
+                        fail "ssh -2 failed with mac $m cipher $c"
+                fi
+        done
+done; done
+ciphers="3des blowfish"
+for c in $ciphers; do
+        trace "proto 1 cipher $c"
+        for x in $tries; do
+                echo -n "$c:\t"
+                ( ${SSH} -o 'compression no' \
+                        -F $OBJ/ssh_proxy -1 -c $c somehost \
+                        exec sh -c \'"dd of=/dev/null obs=32k"\' \
+                < ${DATA} ) 2>&1 | getbytes
+                if [ $? -ne 0 ]; then
+                        fail "ssh -1 failed with cipher $c"
+                fi
+        done
+done
diff --git a/regress/forcecommand.sh b/regress/forcecommand.sh
new file mode 100644
index 000000000..99e51a60f
--- /dev/null
+++ b/regress/forcecommand.sh
@@ -0,0 +1,42 @@
+#       $OpenBSD: forcecommand.sh,v 1.1 2006/07/19 13:09:28 dtucker Exp $
+#       Placed in the Public Domain.
+tid="forced command"
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+echon 'command="true" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echon 'command="true" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+for p in 1 2; do
+        trace "forced command in key option proto $p"
+        ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+            fail "forced command in key proto $p"
+done
+echon 'command="false" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echon 'command="false" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "ForceCommand true" >> $OBJ/sshd_proxy
+for p in 1 2; do
+        trace "forced command in sshd_config overrides key option proto $p"
+        ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+            fail "forced command in key proto $p"
+done
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "ForceCommand false" >> $OBJ/sshd_proxy
+echo "Match User $USER" >> $OBJ/sshd_proxy
+echo "    ForceCommand true" >> $OBJ/sshd_proxy
+for p in 1 2; do
+        trace "forced command with match proto $p"
+        ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+            fail "forced command in key proto $p"
+done
diff --git a/regress/forwarding.sh b/regress/forwarding.sh
index 3b171144f..9ffbb3dd4 100644
--- a/regress/forwarding.sh
+++ b/regress/forwarding.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: forwarding.sh,v 1.5 2005/03/10 10:20:39 dtucker Exp $
+#       $OpenBSD: forwarding.sh,v 1.6 2006/07/11 18:51:21 markus Exp $
 #       Placed in the Public Domain.
 tid="local and remote forwarding"
@@ -34,6 +34,36 @@ for p in 1 2; do
 done
 for p in 1 2; do
+for d in L R; do
+        trace "exit on -$d forward failure, proto $p"
+        # this one should succeed
+        ${SSH} -$p -F $OBJ/ssh_config \
+            -$d ${base}01:127.0.0.1:$PORT \
+            -$d ${base}02:127.0.0.1:$PORT \
+            -$d ${base}03:127.0.0.1:$PORT \
+            -$d ${base}04:127.0.0.1:$PORT \
+            -oExitOnForwardFailure=yes somehost true
+        if [ $? != 0 ]; then
+                fail "connection failed, should not"
+        else
+                # this one should fail
+                ${SSH} -q -$p -F $OBJ/ssh_config \
+                    -$d ${base}01:127.0.0.1:$PORT \
+                    -$d ${base}02:127.0.0.1:$PORT \
+                    -$d ${base}03:127.0.0.1:$PORT \
+                    -$d ${base}01:127.0.0.1:$PORT \
+                    -$d ${base}04:127.0.0.1:$PORT \
+                    -oExitOnForwardFailure=yes somehost true
+                r=$?
+                if [ $r != 255 ]; then
+                        fail "connection not termintated, but should ($r)"
+                fi
+        fi
+done
+done
+for p in 1 2; do
        trace "simple clear forwarding proto $p"
        ${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
author	Colin Watson <cjwatson@debian.org>	2007-06-12 16:16:35 +0000
committer	Colin Watson <cjwatson@debian.org>	2007-06-12 16:16:35 +0000
commit	b7e40fa9da0b5491534a429dadb321eab5a77558 (patch)
tree	bed1da11e9f829925797aa093e379fc0b5868ecd /regress
parent	4f84beedf1005e44ff33c854abd6b711ffc0adb7 (diff)
parent	086ea76990b1e6287c24b6db74adffd4605eb3b0 (diff)

diff --git a/regress/Makefile b/regress/Makefile index 4f47bc3fd..539956398 100644 --- a/regress/Makefile +++ b/regress/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.36 2005/03/04 08:48:46 djm Exp $	1	# $OpenBSD: Makefile,v 1.42 2006/07/19 13:34:52 dtucker Exp $
2		2
3	REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec	3	REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec
4	tests: $(REGRESS_TARGETS)	4	tests: $(REGRESS_TARGETS)
@@ -40,7 +40,9 @@ LTESTS= connect \
40	forwarding \	40	forwarding \
41	multiplex \	41	multiplex \
42	reexec \	42	reexec \
43	brokenkeys	43	brokenkeys \
		44	cfgmatch \
		45	forcecommand
44		46
45	USER!= id -un	47	USER!= id -un
46	CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \	48	CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
@@ -49,8 +51,8 @@ CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
49	rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \	51	rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \
50	rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \	52	rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \
51	ls.copy banner.in banner.out empty.in \	53	ls.copy banner.in banner.out empty.in \
52	scp-ssh-wrapper.scp ssh_proxy_envpass \	54	scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
53	remote_pid	55	sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv
54		56
55	#LTESTS += ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp	57	#LTESTS += ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
56		58


diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh index 6186a8d48..e5fcedda7 100644 --- a/regress/agent-getpeereid.sh +++ b/regress/agent-getpeereid.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: agent-getpeereid.sh,v 1.2 2005/11/14 21:25:56 grunk Exp $	1	# $OpenBSD: agent-getpeereid.sh,v 1.3 2006/07/06 12:01:53 grunk Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="disallow agent attach from other uid"	4	tid="disallow agent attach from other uid"
@@ -12,6 +12,11 @@ then
12	echo "skipped (not supported on this platform)"	12	echo "skipped (not supported on this platform)"
13	exit 0	13	exit 0
14	fi	14	fi
		15	if [ -z "$SUDO" ]; then
		16	echo "skipped: need SUDO to switch to uid $UNPRIV"
		17	exit 0
		18	fi
		19
15		20
16	trace "start agent"	21	trace "start agent"
17	eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null	22	eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null


diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh index 4de2638e4..d5892ed03 100644 --- a/regress/agent-ptrace.sh +++ b/regress/agent-ptrace.sh
@@ -41,7 +41,7 @@ EOF
41	if [ $? -ne 0 ]; then	41	if [ $? -ne 0 ]; then
42	fail "gdb failed: exit code $?"	42	fail "gdb failed: exit code $?"
43	fi	43	fi
44	egrep 'ptrace: Operation not permitted.\|procfs:.Permission denied.\|ttrace attach: Permission denied.\|procfs:.: Invalid argument.' >/dev/null ${OBJ}/gdb.out	44	egrep 'ptrace: Operation not permitted.\|procfs:.Permission denied.\|ttrace.Permission denied.\|procfs:.*: Invalid argument.' >/dev/null ${OBJ}/gdb.out
45	r=$?	45	r=$?
46	rm -f ${OBJ}/gdb.out	46	rm -f ${OBJ}/gdb.out
47	if [ $r -ne 0 ]; then	47	if [ $r -ne 0 ]; then


diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh new file mode 100644 index 000000000..d987dcb97 --- /dev/null +++ b/regress/cfgmatch.sh
@@ -0,0 +1,106 @@
		1	# $OpenBSD: cfgmatch.sh,v 1.2 2006/07/22 01:50:00 dtucker Exp $
		2	# Placed in the Public Domain.
		3
		4	tid="sshd_config match"
		5
		6	pidfile=$OBJ/remote_pid
		7	fwdport=3301
		8	fwd="-L $fwdport:127.0.0.1:$PORT"
		9
		10	stop_client()
		11	{
		12	pid=`cat $pidfile`
		13	if [ ! -z "$pid" ]; then
		14	kill $pid
		15	sleep 1
		16	fi
		17	}
		18
		19	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
		20
		21	echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
		22	echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
		23	echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
		24
		25	echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
		26	echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
		27	echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
		28
		29	start_sshd
		30
		31	#set -x
		32
		33	# Test Match + PermitOpen in sshd_config. This should be permitted
		34	for p in 1 2; do
		35	rm -f $pidfile
		36	trace "match permitopen localhost proto $p"
		37	${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
		38	"echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 \|\|\
		39	fail "match permitopen proto $p sshd failed"
		40	sleep 1;
		41	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
		42	fail "match permitopen permit proto $p"
		43	stop_client
		44	done
		45
		46	# Same but from different source. This should not be permitted
		47	for p in 1 2; do
		48	rm -f $pidfile
		49	trace "match permitopen proxy proto $p"
		50	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
		51	"echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 \|\|\
		52	fail "match permitopen proxy proto $p sshd failed"
		53	sleep 1;
		54	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
		55	fail "match permitopen deny proto $p"
		56	stop_client
		57	done
		58
		59	# Retry previous with key option, should also be denied.
		60	echo -n 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
		61	cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
		62	echo -n 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
		63	cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
		64	for p in 1 2; do
		65	rm -f $pidfile
		66	trace "match permitopen proxy w/key opts proto $p"
		67	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
		68	"echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 \|\|\
		69	fail "match permitopen w/key opt proto $p sshd failed"
		70	sleep 1;
		71	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
		72	fail "match permitopen deny w/key opt proto $p"
		73	stop_client
		74	done
		75
		76	# Test both sshd_config and key options permitting the same dst/port pair.
		77	# Should be permitted.
		78	for p in 1 2; do
		79	rm -f $pidfile
		80	trace "match permitopen localhost proto $p"
		81	${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
		82	"echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 \|\|\
		83	fail "match permitopen proto $p sshd failed"
		84	sleep 1;
		85	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
		86	fail "match permitopen permit proto $p"
		87	stop_client
		88	done
		89
		90	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
		91	echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
		92	echo "Match User $USER" >>$OBJ/sshd_proxy
		93	echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
		94
		95	# Test that a Match overrides a PermitOpen in the global section
		96	for p in 1 2; do
		97	rm -f $pidfile
		98	trace "match permitopen proxy w/key opts proto $p"
		99	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
		100	"echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 \|\|\
		101	fail "match override permitopen proto $p sshd failed"
		102	sleep 1;
		103	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
		104	fail "match override permitopen proto $p"
		105	stop_client
		106	done


diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh new file mode 100644 index 000000000..592511143 --- /dev/null +++ b/regress/cipher-speed.sh
@@ -0,0 +1,47 @@
		1	# $OpenBSD: cipher-speed.sh,v 1.2 2005/05/24 04:09:54 djm Exp $
		2	# Placed in the Public Domain.
		3
		4	tid="cipher speed"
		5
		6	getbytes ()
		7	{
		8	sed -n '/transferred/s/.secs (\(. bytes.sec\).*/\1/p'
		9	}
		10
		11	tries="1 2"
		12	DATA=/bin/ls
		13	DATA=/bsd
		14
		15	macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96"
		16	ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
		17	arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc aes128-ctr"
		18
		19	for c in $ciphers; do for m in $macs; do
		20	trace "proto 2 cipher $c mac $m"
		21	for x in $tries; do
		22	echo -n "$c/$m:\t"
		23	( ${SSH} -o 'compression no' \
		24	-F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
		25	exec sh -c \'"dd of=/dev/null obs=32k"\' \
		26	< ${DATA} ) 2>&1 \| getbytes
		27
		28	if [ $? -ne 0 ]; then
		29	fail "ssh -2 failed with mac $m cipher $c"
		30	fi
		31	done
		32	done; done
		33
		34	ciphers="3des blowfish"
		35	for c in $ciphers; do
		36	trace "proto 1 cipher $c"
		37	for x in $tries; do
		38	echo -n "$c:\t"
		39	( ${SSH} -o 'compression no' \
		40	-F $OBJ/ssh_proxy -1 -c $c somehost \
		41	exec sh -c \'"dd of=/dev/null obs=32k"\' \
		42	< ${DATA} ) 2>&1 \| getbytes
		43	if [ $? -ne 0 ]; then
		44	fail "ssh -1 failed with cipher $c"
		45	fi
		46	done
		47	done


diff --git a/regress/forcecommand.sh b/regress/forcecommand.sh new file mode 100644 index 000000000..99e51a60f --- /dev/null +++ b/regress/forcecommand.sh
@@ -0,0 +1,42 @@
		1	# $OpenBSD: forcecommand.sh,v 1.1 2006/07/19 13:09:28 dtucker Exp $
		2	# Placed in the Public Domain.
		3
		4	tid="forced command"
		5
		6	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
		7
		8	echon 'command="true" ' >$OBJ/authorized_keys_$USER
		9	cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
		10	echon 'command="true" ' >>$OBJ/authorized_keys_$USER
		11	cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
		12
		13	for p in 1 2; do
		14	trace "forced command in key option proto $p"
		15	${SSH} -$p -F $OBJ/ssh_proxy somehost false \ \|\|
		16	fail "forced command in key proto $p"
		17	done
		18
		19	echon 'command="false" ' >$OBJ/authorized_keys_$USER
		20	cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
		21	echon 'command="false" ' >>$OBJ/authorized_keys_$USER
		22	cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
		23
		24	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
		25	echo "ForceCommand true" >> $OBJ/sshd_proxy
		26
		27	for p in 1 2; do
		28	trace "forced command in sshd_config overrides key option proto $p"
		29	${SSH} -$p -F $OBJ/ssh_proxy somehost false \ \|\|
		30	fail "forced command in key proto $p"
		31	done
		32
		33	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
		34	echo "ForceCommand false" >> $OBJ/sshd_proxy
		35	echo "Match User $USER" >> $OBJ/sshd_proxy
		36	echo " ForceCommand true" >> $OBJ/sshd_proxy
		37
		38	for p in 1 2; do
		39	trace "forced command with match proto $p"
		40	${SSH} -$p -F $OBJ/ssh_proxy somehost false \ \|\|
		41	fail "forced command in key proto $p"
		42	done


diff --git a/regress/forwarding.sh b/regress/forwarding.sh index 3b171144f..9ffbb3dd4 100644 --- a/regress/forwarding.sh +++ b/regress/forwarding.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: forwarding.sh,v 1.5 2005/03/10 10:20:39 dtucker Exp $	1	# $OpenBSD: forwarding.sh,v 1.6 2006/07/11 18:51:21 markus Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="local and remote forwarding"	4	tid="local and remote forwarding"
@@ -34,6 +34,36 @@ for p in 1 2; do
34	done	34	done
35		35
36	for p in 1 2; do	36	for p in 1 2; do
		37	for d in L R; do
		38	trace "exit on -$d forward failure, proto $p"
		39
		40	# this one should succeed
		41	${SSH} -$p -F $OBJ/ssh_config \
		42	-$d ${base}01:127.0.0.1:$PORT \
		43	-$d ${base}02:127.0.0.1:$PORT \
		44	-$d ${base}03:127.0.0.1:$PORT \
		45	-$d ${base}04:127.0.0.1:$PORT \
		46	-oExitOnForwardFailure=yes somehost true
		47	if [ $? != 0 ]; then
		48	fail "connection failed, should not"
		49	else
		50	# this one should fail
		51	${SSH} -q -$p -F $OBJ/ssh_config \
		52	-$d ${base}01:127.0.0.1:$PORT \
		53	-$d ${base}02:127.0.0.1:$PORT \
		54	-$d ${base}03:127.0.0.1:$PORT \
		55	-$d ${base}01:127.0.0.1:$PORT \
		56	-$d ${base}04:127.0.0.1:$PORT \
		57	-oExitOnForwardFailure=yes somehost true
		58	r=$?
		59	if [ $r != 255 ]; then
		60	fail "connection not termintated, but should ($r)"
		61	fi
		62	fi
		63	done
		64	done
		65
		66	for p in 1 2; do
37	trace "simple clear forwarding proto $p"	67	trace "simple clear forwarding proto $p"
38	${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true	68	${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
39		69